DNS

DNS analysis

Third-Party Tools

Use these first: they are passive from the target's point of view, since the queries come from the third party's Internet infrastructure instead of your own machine.

Dig

Powerful Linux-based tool used to gather and analyze DNS records.

Gather All Records for a Domain

These commands send the query straight to the name server at 192.168.1.1 (the @server argument) instead of the system resolver. Many servers now answer ANY with a minimal or empty response (RFC 8482), so if -t any returns little, query the record types one at a time (SOA, NS, MX, TXT, A, AAAA).

dig @192.168.1.1 sec542.org -t any
dig @192.168.1.1 sec560.org +norecursive    # Clears the RD bit: the server answers only from its own data or cache
dig @192.168.1.1 sec560.org +recursive      # Sets the RD bit (the default): a resolver goes and fetches the answer

Simplified PTR Lookups

The -x flag builds the reverse name for you: the octets are reversed and placed under in-addr.arpa, so the command below is the same as dig 23.1.168.192.in-addr.arpa PTR

dig -x 192.168.1.23
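To make the reversal explicit, here is an added example (not from the original notes) that builds the owner name -x queries, for IPv4 and, going beyond the note above, for IPv6 as well, where the address is expanded to 32 hex nibbles and reversed under ip6.arpa. It needs bash 4+ and dig; ptr_lookup assumes the resolver given as its first argument is reachable.

```shell
#!/usr/bin/env bash
# Build the reverse-lookup name that "dig -x" queries, for IPv4 and IPv6.
# Added example, not from the original notes; needs bash 4+ and dig.
# ptr_lookup assumes the resolver passed as its first argument is reachable.

# IPv4: reverse the four octets and append in-addr.arpa.
ptr_name4() {
    local a b c d
    IFS=. read -r a b c d <<< "$1"
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$d" "$c" "$b" "$a"
}

# IPv6: expand "::" and zero-pad every group to four hex digits, then emit
# the 32 nibbles in reverse order under ip6.arpa.
ptr_name6() {
    local ip=$1 head tail g hex="" out="" i
    local -a hg=() tg=() groups=()
    if [[ $ip == *::* ]]; then          # split once on the compressed gap
        head=${ip%%::*}
        tail=${ip#*::}
    else
        head=$ip
        tail=""
    fi
    [[ -n $head ]] && IFS=: read -r -a hg <<< "$head"
    [[ -n $tail ]] && IFS=: read -r -a tg <<< "$tail"
    local missing=$(( 8 - ${#hg[@]} - ${#tg[@]} ))   # groups elided by "::"
    groups=("${hg[@]}")
    while (( missing-- > 0 )); do groups+=(0); done
    groups+=("${tg[@]}")
    for g in "${groups[@]}"; do
        hex+=$(printf '%04x' "0x$g")   # bash printf accepts the 0x prefix
    done
    for (( i = ${#hex} - 1; i >= 0; i-- )); do
        out+="${hex:i:1}."
    done
    printf '%sip6.arpa\n' "$out"
}

# Pick the builder by address family and ask SERVER for the PTR record.
ptr_lookup() {
    local server=$1 ip=$2 name
    if [[ $ip == *:* ]]; then
        name=$(ptr_name6 "$ip")
    else
        name=$(ptr_name4 "$ip")
    fi
    dig "@$server" "$name" PTR +short
}

ptr_name4 192.168.1.23     # 23.1.168.192.in-addr.arpa
ptr_name6 2001:db8::1
```

ptr_lookup 192.168.1.1 192.168.1.23 then does the same thing as dig -x against that server; passing an IPv6 address takes the ip6.arpa path, which dig -x also handles.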

Attempt Full Zone Transfer

Very unlikely to work from the outside: most domains should not allow zone transfers to arbitrary clients, but misconfigured internal servers are more common. Always attempt it anyway. AXFR runs over TCP/53 and must be sent to a server that is authoritative for the zone (take the names from its NS records), not to a recursive resolver; a refused transfer shows up in dig's output as "; Transfer failed."

dig @<network dns server> m4lwhere.org -t axfr
dig @<network dns server> AXFR m4lwhere.org
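Because the transfer has to go to an authoritative server, the usual loop is: look up the NS records, then try AXFR against each one. Added example, not from the original notes: try_axfr does exactly that with dig and needs network access, while axfr_ok and axfr_record_count only parse dig's output and are exercised here on constructed sample output (not real captures) so they run offline.

```shell
#!/usr/bin/env bash
# Attempt AXFR against every authoritative server of a zone and report which
# ones serve it. Added example, not from the original notes; needs dig, and
# try_axfr needs network access (NS lookup plus TCP/53 to each server).

# Return 0 when dig's AXFR output contains a served zone, 1 otherwise.
# dig prints "; Transfer failed." on refusal; a served zone is bracketed by
# its SOA record, so SOA shows up at least twice.
axfr_ok() {
    local output=$1
    if printf '%s\n' "$output" | grep -q '^; Transfer failed'; then
        return 1
    fi
    [ "$(printf '%s\n' "$output" | grep -c '[[:space:]]SOA[[:space:]]')" -ge 2 ]
}

# Number of resource records in dig's output (skips comments and blank lines).
axfr_record_count() {
    printf '%s\n' "$1" | grep -vc -e '^;' -e '^$'
}

# try_axfr ZONE: find the zone's name servers and try a transfer against each.
try_axfr() {
    local zone=$1 ns out
    for ns in $(dig +short NS "$zone" </dev/null); do
        out=$(dig "@$ns" "$zone" AXFR </dev/null 2>&1)
        if axfr_ok "$out"; then
            printf '%s serves %s: %s records\n' "$ns" "$zone" "$(axfr_record_count "$out")"
            printf '%s\n' "$out" | grep -v '^;'
        else
            printf '%s refused transfer of %s\n' "$ns" "$zone" >&2
        fi
    done
}

# Constructed sample output (not real dig captures) so the parser can be
# exercised offline.
SAMPLE_SERVED='; <<>> DiG 9.18.0 <<>> @ns1.example.test example.test AXFR
;; global options: +cmd
example.test.        3600    IN    SOA    ns1.example.test. hostmaster.example.test. 1 3600 900 604800 300
example.test.        3600    IN    NS     ns1.example.test.
www.example.test.    3600    IN    A      192.0.2.10
example.test.        3600    IN    SOA    ns1.example.test. hostmaster.example.test. 1 3600 900 604800 300
;; Query time: 3 msec'
SAMPLE_REFUSED='; <<>> DiG 9.18.0 <<>> @ns1.example.test example.test AXFR
;; global options: +cmd
; Transfer failed.'

if axfr_ok "$SAMPLE_SERVED"; then echo "sample 1: served ($(axfr_record_count "$SAMPLE_SERVED") records)"; fi
if ! axfr_ok "$SAMPLE_REFUSED"; then echo "sample 2: refused"; fi
if [ "$#" -eq 1 ]; then try_axfr "$1"; fi
```

Run it as bash axfr.sh m4lwhere.org to try every name server of the zone; servers that refuse are listed on stderr, and a served zone is printed without dig's comment lines.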

nslookup

We can use nslookup from a Windows host to try to gather information as well. The ls -d command asks the selected server for the whole zone (a zone transfer); it exists only in the Windows nslookup, and a server that does not permit transfers refuses the request.

C:\Users\m4lwhere> nslookup
> server 10.0.0.1
> set type=AXFR
> ls -d goblins.local

DNSrecon

Multi-threaded DNS enumeration tool written in Python 3. -d sets the target domain and -n the name server to query; the default run performs the standard enumeration (a zone-transfer attempt against each name server, then SOA, NS, A, AAAA, MX and SRV lookups).

dnsrecon -d m4lwhere.org -n 8.8.8.8

DNS Brute Forcing

Attempt to enumerate DNS hostnames by guessing subdomains. Check for a wildcard first: if the zone has a *.domain record, every guess resolves and the results are noise unless answers matching the wildcard are filtered out.

Gobuster

Uses gobuster's dns mode to brute-force subdomains from a wordlist; it is multi-threaded 😎 (-t sets the thread count, -r points it at a specific resolver).

gobuster dns -d m4lwhere.org -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt

Nmap Script

The script takes several arguments: dns-brute.domain (the target), dns-brute.hostlist (the wordlist, one label per line), dns-brute.threads, and the generic newtargets argument, which adds every host it discovers to the scan so the trailing -sS -p 80 port-scans them as well.

nmap --script dns-brute --script-args dns-brute.domain=foo.com,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sS -p 80
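The gobuster and nmap runs above both do the same thing underneath: resolve each wordlist entry under the domain and keep the ones that answer. The added example below (not code from the original notes, gobuster or nmap) spells that out in shell with the wildcard check from the start of this section: it resolves a made-up label first and drops every guess whose answer is identical to the wildcard's. It assumes dig is installed and that RESOLVER is reachable; resolve_a is a function so a canned lookup can stand in for real DNS when testing.

```shell
#!/usr/bin/env bash
# Subdomain brute force with wildcard detection. Added example, not code
# from the original notes, gobuster or nmap. Assumes dig is installed and
# that RESOLVER is reachable; the wildcard probe label is a made-up name.

RESOLVER=${RESOLVER:-8.8.8.8}

# resolve_a NAME: print the A records of NAME, sorted and space-separated
# (empty when it does not resolve). Kept as a function so a canned lookup
# can replace it in tests.
resolve_a() {
    dig "@$RESOLVER" +short +time=2 +tries=1 A "$1" </dev/null 2>/dev/null \
        | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort | paste -s -d ' ' -
}

# wildcard_answer DOMAIN: resolve a label nobody would have created. A
# non-empty result means the zone has a *.DOMAIN record, and every guess
# returning the same answer is a false positive.
wildcard_answer() {
    resolve_a "wc-$(date +%s)-$RANDOM.$1"
}

# brute_force DOMAIN WORDLIST: one label per line; prints "fqdn ip [ip...]"
# for every label that resolves to something other than the wildcard answer.
brute_force() {
    local domain=$1 wordlist=$2 wild word fqdn ips
    wild=$(wildcard_answer "$domain")
    if [ -n "$wild" ]; then
        printf '; wildcard detected: *.%s -> %s\n' "$domain" "$wild" >&2
    fi
    while IFS= read -r word || [ -n "$word" ]; do
        case $word in ''|'#'*) continue ;; esac   # skip blanks and comments
        fqdn="$word.$domain"
        ips=$(resolve_a "$fqdn")
        if [ -z "$ips" ]; then
            continue                             # does not resolve
        fi
        if [ "$ips" = "$wild" ]; then
            continue                             # identical to the wildcard answer
        fi
        printf '%s %s\n' "$fqdn" "$ips"
    done < "$wordlist"
}

# Usage: bash dnsbrute.sh m4lwhere.org /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
if [ "$#" -eq 2 ]; then brute_force "$1" "$2"; fi
```

This runs one lookup at a time, which is what makes the logic easy to read; gobuster and the nmap script parallelise the same loop. The filter has one blind spot worth knowing: a real host that happens to share the wildcard's address is dropped along with the noise, so when a wildcard is reported, a second pass with a different record type (for example CNAME or MX) can recover those.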
